Re: [PHP-DB] Re: Code Security

2015-02-13 Thread Guru
Put a redirect code in www folder to your index page.
On Feb 13, 2015 10:55 PM, "Karl DeSaulniers"  wrote:

> Set up a password or a salt that Mr. Nice has to call you to get and
> expires on logout.
>
> Lol
>
> Best,
> Karl
>
>
> Sent from losPhone
>
> > On Feb 13, 2015, at 8:47 AM, erosenb...@hygeiabiomedical.com wrote:
> >
> >
> > Ethan,
> > It seems like you're looking for a programmatic solution to a physical
> > security problem. In the end, your most viable solution will likely
> > be to train Mr. Goodguy to remove the key the same way he needs to
> > remember his ATM card after a withdrawal. I've seen programmatic
> > work-arounds to solve similar issues, but they have always ended up
> > being significantly arduous for the end users...
> > Respectfully,
> > Joshua D. Arneson
> > -Original Message-
> > From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com]
> > Sent: Friday, February 13, 2015 9:12 AM
> > To: php...@lists.php.net
> > Subject: Re: [PHP-DB] Code Security
> >
> > On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
> > > Prevent THIS from ever happening.
> > >
> > > On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg wrote:
> > >
> > > > He asks Mr.[naive]Nice if he could look at the computer while it is logged in.
> > >
> > > Otherwise, I would say an external key that has a salt stored on it that
> > > the user has to insert in the computer before the system can be accessed.
> > > Like an access key card. Immediate shut down when tampered and/or removed.
> > >
> > > Just a stab in the dark though.
> > >
> > > Best,
> > >
> > > Karl DeSaulniers
> > > Design Drumm
> > Karl -
> > Thanks.
> > The key is already plugged in. Mr [Naive] Nice is using the computer,
> > and is logged in. Mr. Ugly just want to "look at" the computer.
> > Ethan--
> > Joshua -
> > My apologies for an HTML message.  That is all I have at work.
> >
> > How about this -
> > Block access to Ctrl-Alt-Del for Mr. Nice.
> > TIA
> > Ethan
> >
> >
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP-DB] Code Security

2015-02-13 Thread Karl DeSaulniers
And in the same way, don't let him withdraw money from your account while you're 
logged into the ATM. I mean it sounds like Mr. Nice shouldn't have a business. 
At all. 

Best,
Karl

Sent from losPhone

> On Feb 13, 2015, at 8:17 AM, "Arneson, Joshua"  
> wrote:
> 
> Ethan,
> 
>It seems like you're looking for a programmatic solution to a physical 
> security problem. In the end, your most viable solution will likely be to 
> train Mr. Goodguy to remove the key the same way he needs to remember his ATM 
> card after a withdrawal. I've seen programmatic work-arounds to solve similar 
> issues, but they have always ended up being significantly arduous for the end 
> users...
> 
> Respectfully,
>  
> Joshua D. Arneson
> 
> -Original Message-
> From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com] 
> Sent: Friday, February 13, 2015 9:12 AM
> To: php-db@lists.php.net
> Subject: Re: [PHP-DB] Code Security
> 
>> On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
>> Prevent THIS from ever happening.
>> 
>>> On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg 
>>>  wrote:
>>> 
>>> He asks Mr.[naive]Nice if he could look at the computer while it is logged 
>>> in.
>> 
>> 
>> Otherwise, I would say an external key that has a salt stored on it that the 
>> user has to insert in the computer before the system can be accessed.
>> Like an access key card. Immediate shut down when tampered and/or removed.
>> 
>> Just a stab in the dark though.
>> 
>> Best,
>> 
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
> ---
> 
> Karl -
> 
> Thanks.
> 
> The key is already plugged in.  Mr [Naive] Nice is using the computer, and is 
> logged in.  Mr. Ugly just want to "look at" the computer.
> 
> Ethan
> 
> 
> 
> 




Re: [PHP-DB] Re: Code Security

2015-02-13 Thread Karl DeSaulniers
Set up a password or a salt that Mr. Nice has to call you to get and expires on 
logout.  

Lol

Best,
Karl


Sent from losPhone

> On Feb 13, 2015, at 8:47 AM, erosenb...@hygeiabiomedical.com wrote:
> 
> 
> Ethan,
> It seems like you're looking for a programmatic solution to a physical
> security problem. In the end, your most viable solution will likely
> be to train Mr. Goodguy to remove the key the same way he needs to
> remember his ATM card after a withdrawal. I've seen programmatic
> work-arounds to solve similar issues, but they have always ended up
> being significantly arduous for the end users...
> Respectfully,
> Joshua D. Arneson
> -Original Message-
> From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com]
> Sent: Friday, February 13, 2015 9:12 AM
> To: php...@lists.php.net
> Subject: Re: [PHP-DB] Code Security
>
> On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
> > Prevent THIS from ever happening.
> >
> > On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg wrote:
> >
> > > He asks Mr.[naive]Nice if he could look at the computer while it is logged in.
> >
> > Otherwise, I would say an external key that has a salt stored on it that
> > the user has to insert in the computer before the system can be accessed.
> > Like an access key card. Immediate shut down when tampered and/or removed.
> >
> > Just a stab in the dark though.
> >
> > Best,
> >
> > Karl DeSaulniers
> > Design Drumm
> Karl -
> Thanks.
> The key is already plugged in. Mr [Naive] Nice is using the computer,
> and is logged in. Mr. Ugly just want to "look at" the computer.
> Ethan--
> Joshua -
> My apologies for an HTML message.  That is all I have at work.
> 
> How about this -
> Block access to Ctrl-Alt-Del for Mr. Nice. 
> TIA
> Ethan
> 
> 




[PHP-DB] Re: php-db Digest 13 Feb 2015 05:03:55 -0000 Issue 5067

2015-02-13 Thread Geoffrey Pitman
"...so unfucking-secure that this should never see the light of day..."

Do you have a pseudonym named "Bastian Koert"? :-)
On Feb 13, 2015 12:04 AM,  wrote:

>
> php-db Digest 13 Feb 2015 05:03:55 - Issue 5067
>
> Topics (messages 48953 through 48953):
>
> Re: Code Security
> 48953 by: Ethan Rosenberg
>
>
>
> -- Forwarded message --
> From: Ethan Rosenberg 
> To: Bastien Koert 
> Cc: "php-db@lists.php.net" 
> Date: Fri, 13 Feb 2015 00:03:48 -0500
> Subject: Re: [PHP-DB] Code Security
> On 02/06/2015 02:45 PM, Bastien Koert wrote:
>
>> Hold on, so you've written a point of sale app that exists on the client
>> machine as whole? Does this
>> take credit card data?
>>
>> If so, its so un-fucking-secure that this should never see the light of
>> day. The CC companies won't
>> accept this at all and would remove any ability to accept CCs by the
>> business. This style of app is
>> in violation of so many terms of service (not to mention basic security
>> programming practices when
>> dealing with sensitive data).
>>
>> I worked with a guy who wrote an app like that (but not POS, still
>> sensitive data. I took one look
>> at it and yanked it from production and replaced it with a proper client
>> / server app. Its not safe,
>> its not secure and to code a POS on a single machine that the user has
>> access to is just dumb.
>>
>> I would strongly suggest that your client have a look at square or
>> similar if he wants to process CC
>> data.
>>
>> Bastien
>>
>> On Thu, Feb 5, 2015 at 11:24 PM, Ethan Rosenberg <erosenb...@hygeiabiomedical.com> wrote:
>>
>> On 02/05/2015 11:04 AM, Bastien Koert wrote:
>>
>> I'm with the two Richard's on this, those users shouldn't have telnet
>> access to the host server at all. Users should be using the browser to
>> access your site.
>>
>> Other than that, the most important thing you can do is to regularly back
>> up your code and database to another location so that if something happens
>> to the working box (and likely all tech products, its not IF its WHEN) you
>> can restore the code and database with minimal data loss
>>
>> Bastien
>>
>> On Thu Feb 05 2015 at 9:39:43 AM Omar Muhsin wrote:
>>
>> You forgot this one "keep the box OFFLINE ... best security" :-D
>>
>> On 05-02-15 14:10, Richard Quadling wrote:
>>
>> 1 - Don't allow terminal access to your box.
>> 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they
>> can be reversed to access the code in a form.
>> 3 - Don't use PHP.
>>
>>
>> 
>> Thanks to all.
>>
>> I apologize, but I did not properly define the problem I am addressing. I have
>> written code for a POS [Point Of Sale] system to be used in a store.  I don't
>> expect the store owner to play with the code.  His friends [or enemies] might
>> try. There are two logins to the computer, ethan [me] and worker.  Worker has
>> to be able to access the code to use it.  He has to be blocked from reading,
>> writing or copying the code.
>>
>> How??
>>
>> TIA
>>
>> Ethan
>>
>>
>> Bastien
>>
>> Cat, the other other white meat  Grrr... I have a gingy cat, and she is
>> very nice.  Don't insult her [LOL]
>>
>
> ---
>
> Thanks all.
>
> Sorry, my fault by not being clear.
>
> The POS system is free standing and not on a network.
>
> The server is Apache.
>
> So 
>
> Mr Nice has bought my system.
>
> His friend, Mr. Ugly, wants to steal my code.
>
> He asks Mr.[naive]Nice if he could look at the computer while it is logged
> in.
>
> Ctrl-Alt-F1  A terminal.
>
> cd /var/www
>
> cp *.* memoryStick  He now has my code
>
> look at the code to find out where the passwords are stored and copy to
> memoryStick
>
> history |grep mys*  He has the login, and hopefully the password
>
> show databases;
>
>  /usr/bin/mysqldump -u root -p  Database > /pathtodatabasefolder/
> Database.sql
>
> Everything gone!!!
>
> How do I prevent the above?
>
> TIA
>
> Ethan
>
>
>
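
Ethan's two requirements above (the worker login must run the POS in the browser but must not be able to read or copy what is under /var/www, and MySQL logins must not be recoverable from shell history) are mostly a file-permission and environment problem. The script below is an added example, not code from the thread; it assumes Apache/PHP runs as group www-data, that the worker account is not a member of that group, and that it is run as root (as a non-root user it only applies the chmod part).

```shell
#!/bin/sh
# Added example, not from the thread. Locks a PHP tree so the web server (group
# WEB_GROUP, assumed www-data) can still read it while the unprivileged worker
# login, assumed NOT to be in that group, cannot read, copy or edit it.

WEB_GROUP="${WEB_GROUP:-www-data}"   # assumed group of the Apache/PHP process

# Directories 0750, files 0640, owner root:WEB_GROUP (chown only when root).
# Group (Apache) keeps read access; "other" (the worker login) gets nothing.
harden_php_tree() {
    dir="$1"
    [ -d "$dir" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$WEB_GROUP" "$dir" ||
            echo "warning: chown failed (does group $WEB_GROUP exist?)" >&2
    fi
    find "$dir" -type d -exec chmod 0750 {} + &&
    find "$dir" -type f -exec chmod 0640 {} +
}

# Detective check: print anything under DIR that "other" can read.
# Returns 0 when the tree is clean, 1 when offenders were found.
check_world_readable() {
    offenders="$(find "$1" -perm -o=r 2>/dev/null)"
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# The thread notes that "history | grep mys*" recovers MySQL logins typed at a
# shell. Append settings to the given profile file (path assumed) so the mysql
# client keeps no history and bash drops mysql/mysqldump lines from its own.
disable_credential_history() {
    {
        echo 'export MYSQL_HISTFILE=/dev/null'
        echo 'export HISTIGNORE="*mysql*:*mysqldump*"'
    } >> "$1"
}

# Run directly as root with the tree to lock down, e.g.: sh harden_pos.sh /var/www
if [ "$#" -gt 0 ]; then
    harden_php_tree "$1"
    check_world_readable "$1" && echo "OK: nothing under $1 is world-readable"
fi
```

None of this helps once the worker account has sudo or the box boots from removable media; the permissions only hold against an unprivileged login, which is the case the thread describes.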


[PHP-DB] Re: Code Security

2015-02-13 Thread erosenberg

Ethan,
It seems like you're looking for a programmatic solution to a physical
security problem. In the end, your most viable solution will likely
be to train Mr. Goodguy to remove the key the same way he needs to
remember his ATM card after a withdrawal. I've seen programmatic
work-arounds to solve similar issues, but they have always ended up
being significantly arduous for the end users...
Respectfully,
Joshua D. Arneson
-Original Message-
From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com]
Sent: Friday, February 13, 2015 9:12 AM
To: php...@lists.php.net
Subject: Re: [PHP-DB] Code Security

On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
> Prevent THIS from ever happening.
>
> On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg wrote:
>
>> He asks Mr.[naive]Nice if he could look at the computer while it is logged in.
>
> Otherwise, I would say an external key that has a salt stored on it that
> the user has to insert in the computer before the system can be accessed.
> Like an access key card. Immediate shut down when tampered and/or removed.
>
> Just a stab in the dark though.
>
> Best,
>
> Karl DeSaulniers
> Design Drumm
Karl -
Thanks.
The key is already plugged in. Mr [Naive] Nice is using the computer,
and is logged in. Mr. Ugly just want to "look at" the computer.
Ethan--
Joshua -
My apologies for an HTML message.  That is all I have at work.

How about this -
Block access to Ctrl-Alt-Del for Mr. Nice. 
TIA
Ethan




RE: [PHP-DB] Code Security

2015-02-13 Thread Arneson, Joshua
Ethan,

It seems like you're looking for a programmatic solution to a physical 
security problem. In the end, your most viable solution will likely be to train 
Mr. Goodguy to remove the key the same way he needs to remember his ATM card 
after a withdrawal. I've seen programmatic work-arounds to solve similar 
issues, but they have always ended up being significantly arduous for the end 
users...

Respectfully,
 
Joshua D. Arneson

-Original Message-
From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com] 
Sent: Friday, February 13, 2015 9:12 AM
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Code Security

On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
> Prevent THIS from ever happening.
>
> On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg 
>  wrote:
>
>> He asks Mr.[naive]Nice if he could look at the computer while it is logged 
>> in.
>
>
> Otherwise, I would say an external key that has a salt stored on it that the 
> user has to insert in the computer before the system can be accessed.
> Like an access key card. Immediate shut down when tampered and/or removed.
>
> Just a stab in the dark though.
>
> Best,
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
---

Karl -

Thanks.

The key is already plugged in.  Mr [Naive] Nice is using the computer, and is 
logged in.  Mr. Ugly just want to "look at" the computer.

Ethan






Re: [PHP-DB] Code Security

2015-02-13 Thread Ethan Rosenberg

On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:

> Prevent THIS from ever happening.
>
> On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg wrote:
>
>> He asks Mr.[naive]Nice if he could look at the computer while it is logged in.
>
> Otherwise, I would say an external key that has a salt stored on it that the 
> user has to insert in the computer before the system can be accessed.
> Like an access key card. Immediate shut down when tampered and/or removed.
>
> Just a stab in the dark though.
>
> Best,
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com

---

Karl -

Thanks.

The key is already plugged in.  Mr [Naive] Nice is using the computer, and is logged in.  Mr. Ugly 
just want to "look at" the computer.


Ethan


